Hello,

• To get a VPN tunnel up, the client needs to talk to a DNS server, an authentication server (Mozilla Accounts), and the VPN gateway itself, all before the tunnel exists.

• Excluded small, specific bursts of traffic to subdomains like accounts.firefox.com (OAuth) or vpn.mozilla.org (endpoint). To authenticate, the browser must reach accounts.firefox.com.

• The Public Wi-Fi Catch, that Captive portals (the "I agree to terms" screens) require your browser to talk directly to the local gateway. If the VPN tried to force that through an encrypted tunnel, the gateway would just drop the packets, and you'd never get internet access.

• The ISP sees that you are talking to Mozilla, but they cannot see your credentials, tokens, or what you're doing inside that session.

• Mozilla sees your IP to log you in, there's no way around that on the public internet. However, once that 'handshake' is done, the browsing traffic is decoupled your identity from your browsing. Think of it like a VLAN for your browser traffic, your ISP only sees the encrypted trunk to the proxy, and the proxy is architected to 'forget' who you are the moment the packet is forwarded.

• It’s not about hiding from Mozilla (you’re using their account, after all), but about hiding from the thousands of third-party trackers and your ISP who are currently profiling you.

I hope this helps.

Thanks. I just wasn't sure how Mozilla was handling the handshakes and what would be publicly visible.

I understand the Captive Portal issues with Public Wi-Fi. I must have misread a little about that as I interpreted it as being more than just the actual local Wi-Fi auth to connect.

I wasn't concerned about hiding information from Mozilla itself, other than how you maintain and use that data. Do you keep all the data pushed through your VPN? Would it be accessible to a person if they managed to gain access to your data?

Everything you have provided has helped me understand your security better for sure. What's the greater benefit of using the Mozilla VPN verses the free VPN in the browser?

Mozilla does not log the websites you visit, the DNS queries you make, or the content of your communications.

Τhey see your IP during the handshake for auth. Mozilla’s policy is to store minimal technical data (like connection success/failure) to maintain the service, but this is decoupled from your browsing history.

Ιf someone gained access to the VPN gateway logs, they wouldn't find a history of your browsing because that data simply isn't written to disk. The "keys to the kingdom" for a hacker would be useless for deanonymizing your past activity if the logs don't exist.

Browser VPN (Free) vs. Mozilla VPN (Paid)

The "Greater Benefit" comes down to the OSI Model layers and the System Scope:

1. Built-in Firefox VPN (Free)

• Application Level Only protects traffic inside Firefox tabs
• HTTPS Proxy Uses a secure proxy tunnel (TLS).
• Data Limit 50 GB / month.
• Network Layer for HTTP/S traffic.
• Device Support Only where Firefox runs.

2. Mozilla VPN (Paid)

• System Level. Protects all apps, background processes, and OS updates.
• WireGuard®. A modern, high-performance tunneling protocol.
• Data Limit Unlimited.
• Network Layer Operates at the Network Layer (Layer 3) via a virtual TUN/TAP interface.
• Device Support Up to 5 devices

So use the Free build-in VPN on Firefox if you just want to hide your browsing from your ISP and trackers while surfing. Use the Mozilla VPN if you want to secure your entire "digital pipe" and ensure that no telemetry or background app is leaking your real IP.

Great!! Thank you for answering my questions.